<p>Development tools and frameworks usually have options to make debugging easier for developers. Although these features are useful during
development, they should never be enabled for applications deployed in production. Debug instructions or error messages can leak detailed information
about the system, like the application’s path or file names.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The code or configuration enabling the application debug features is deployed on production servers or distributed to end users. </li>
  <li> The application runs by default with debug features activated. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>Do not enable debugging features on production servers or applications distributed to end users.</p>
<h2>Sensitive Code Example</h2>
<p><code>Throwable.printStackTrace(...)</code> prints a Throwable and its stack trace to <code>System.Err</code> (by default) which is not easily
parseable and can expose sensitive information:</p>
<pre>
try {
  /* ... */
} catch(Exception e) {
  e.printStackTrace(); // Sensitive
}
</pre>
<p><a
href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.html">EnableWebSecurity</a>
annotation for SpringFramework with <code>debug</code> to <code>true</code> enables debugging support:</p>
<pre>
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@Configuration
@EnableWebSecurity(debug = true) // Sensitive
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  // ...
}
</pre>
<p><a
href="https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)">WebView.setWebContentsDebuggingEnabled(true)</a>
for Android enables debugging support:</p>
<pre>
import android.webkit.WebView;

WebView.setWebContentsDebuggingEnabled(true); // Sensitive
WebView.getFactory().getStatics().setWebContentsDebuggingEnabled(true); // Sensitive
</pre>
<h2>Compliant Solution</h2>
<p>Loggers should be used (instead of <code>printStackTrace</code>) to print throwables:</p>
<pre>
try {
  /* ... */
} catch(Exception e) {
  LOGGER.log("context", e);
}
</pre>
<p><a
href="https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.html">EnableWebSecurity</a>
annotation for SpringFramework with <code>debug</code> to <code>false</code> disables debugging support:</p>
<pre>
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@Configuration
@EnableWebSecurity(debug = false)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  // ...
}
</pre>
<p><a
href="https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)">WebView.setWebContentsDebuggingEnabled(false)</a>
for Android disables debugging support:</p>
<pre>
import android.webkit.WebView;

WebView.setWebContentsDebuggingEnabled(false);
WebView.getFactory().getStatics().setWebContentsDebuggingEnabled(false);
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
  Exposure</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/489">CWE-489 - Active Debug Code</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/215">CWE-215 - Information Exposure Through Debug Information</a> </li>
</ul>

